just another infosec blog

Proxies in the shade

A few years ago, when Norwegian politicians voted in favor of implementing the Data Retention Law, a directive proposed by the EU, many minds got stirred. The wannabe security gurus and their dog suddenly woke up and wrote countless tutorials on how to remain anonymous on the Net. I have lost count of the articles mentioning Tor, VPN and proxies. Some even found their way into newspaper and magazine articles, thus making the common man aware of being anonymous. I support the effort – it’s just that with these services you never know.

Many of these articles have a list of public proxies you can pick and choose from. When a proxy has been chosen you typically configure, say, Firefox to route its traffic through it. The proxy receives the traffic, “washes” away any clues pointing to you and then relays it to its destination. Then it routes the result back to you. It appears to be a safe and “sane” way to anonymize yourself on the Net. But is it? I beg to differ.

Let me ask you some questions:

did you know where the proxy was located?

did you know who provided the proxy?

can you be sure the proxy did not tamper with your traffic?

can you be sure the proxy did not store your cookie, username and password data?

If you answered ‘no’ to one of these questions, then congratulations. You might have been hacked. By looking at the lists of proxies you might have noticed that many of them were just a bunch of numbers. These are called IP addresses. Unless you are really tech savvy, the chances are that you don’t know in which country the proxy is located. Would you use a proxy located in, say, Russia or Belarus? Even if you have found out which country the proxy is located in, do you know who runs it? It could be a well-known and trusted company – or in the worst case, the mafia or a hacking collective. Okay, we are in deep water here. What if you were doing some online shopping using this proxy? You add items to your basket and ask to be billed later. How can you be sure that what you see at the checkout is what is sent to the end server? A proxy could very well intercept the traffic and present whatever it likes to the end server – and to you. Speaking of which – you had to log into the online shopping facility. How can you be sure that the proxy didn’t sniff your traffic for usernames, passwords or cookie information? Oh my. You just couldn’t know, could you?

As a proof of concept I have prepared a Ruby based proxy in my “sandbox” environment demonstrating this. It’s just a dumb piece of software that relays HTTP traffic sent to it. When it receives any traffic it spawns some threads handling the traffic. Before it relays the traffic further it extracts cookie information and scans for what appears to be usernames and passwords. It does the same for the end point response. But – before the response is relayed back to the user it inserts some typos here and there. You wouldn’t really notice unless you are a strict grammar nazi. IMHO it works really nicely. It does what it is supposed to do.

In theory I could have let it loose in the wild by adding its IP to any of the proxy lists on the Net and just sat back and waited. But – it runs only in my sandbox environment and will never be released to the public. Had I added it to any of the proxy lists available – would you even suspect that anything happened behind the curtain?
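Two things a user can actually check against the scenario above: whether the proxy can read and rewrite the traffic at all (it can for plain HTTP; for HTTPS it only tunnels and learns the host name), and whether a page fetched through the proxy differs from the same page fetched directly. The Ruby below is an added example written for this page, not the author's sandbox proxy or any code from the post. The two response bodies are constructed sample data so it runs offline; the word-level diff aligns the two copies with a longest-common-subsequence table so that a single inserted typo shows up as one removed/added pair instead of shifting every later word.

```ruby
require 'digest'
require 'uri'

# Constructed sample responses: the same checkout page as fetched directly
# (trusted path) and as received through an untrusted HTTP proxy that
# "inserts some typos here and there". No network access is needed.
DIRECT_BODY  = "Your order total is 49.90 EUR. Items will be shipped within 3 days."
PROXIED_BODY = "Your order total is 49.90 EUR. Items will be shiped within 3 days."

# A forward proxy can read and rewrite request and response bodies only for
# plain http:// URLs. For https:// it tunnels (CONNECT) and sees the host
# name but not cookies, credentials or page contents. Check this first.
def readable_by_proxy?(url)
  URI.parse(url).scheme == 'http'
end

# Cheap first check: any difference at all between the two copies.
def modified_in_transit?(direct, proxied)
  Digest::SHA256.hexdigest(direct) != Digest::SHA256.hexdigest(proxied)
end

# Longest-common-subsequence table over word tokens, used to align the two
# bodies so that insertions and deletions do not shift every later word.
def lcs_table(a, b)
  t = Array.new(a.size + 1) { Array.new(b.size + 1, 0) }
  a.each_index do |i|
    b.each_index do |j|
      t[i + 1][j + 1] = a[i] == b[j] ? t[i][j] + 1 : [t[i][j + 1], t[i + 1][j]].max
    end
  end
  t
end

# Word-level diff: returns the words that appear only in the direct copy
# (:removed) and those that appear only in the proxied copy (:added).
def changed_words(direct, proxied)
  a = direct.split(/\s+/)
  b = proxied.split(/\s+/)
  t = lcs_table(a, b)
  removed = []
  added = []
  i = a.size
  j = b.size
  # Walk the table backwards from the corner, emitting differences.
  while i > 0 || j > 0
    if i > 0 && j > 0 && a[i - 1] == b[j - 1]
      i -= 1
      j -= 1
    elsif j > 0 && (i == 0 || t[i][j - 1] >= t[i - 1][j])
      added.unshift(b[j - 1])
      j -= 1
    else
      removed.unshift(a[i - 1])
      i -= 1
    end
  end
  { removed: removed, added: added }
end

if __FILE__ == $0
  puts "proxy can read/rewrite http://shop.example/checkout: #{readable_by_proxy?('http://shop.example/checkout')}"
  puts "proxy can read/rewrite https://shop.example/checkout: #{readable_by_proxy?('https://shop.example/checkout')}"
  puts "response modified in transit: #{modified_in_transit?(DIRECT_BODY, PROXIED_BODY)}"
  p changed_words(DIRECT_BODY, PROXIED_BODY)
end
```

In practice you would fetch the same URL once with the proxy configured and once without (or from a second network path) and feed both bodies to `changed_words`; dynamic pages need the volatile parts (timestamps, session tokens) stripped before comparing. The `readable_by_proxy?` check is the more important of the two: if the shop is served over plain HTTP, nothing stops the proxy from reading the login form and cookies, and the diff can only tell you afterwards that something was changed.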

Anonymizing yourself using a proxy isn’t very safe – if you think about it for a minute. Yes, you might minimize the risk of the “state” or government tracking you. At the same time you’ve maximized the risk of someone other than the “state” or government knowing everything about you. Hm. Maybe paying for a serious VPN service wasn’t that bad after all? But again – you don’t really know if they are tied to the government either …